Evaluation Process
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Presentation transcript:

Slide 1: Evaluation Process

Slide 2: Evaluation Process
1. Develop Test Plan / Requirements List
   - IPS vs. IDS, app control, vulnerability testing, performance requirements, etc.
2. Scope of Appliances
3. Kick-Off Install
4. Weekly Reviews
5. Recap

Slide 3: What Sourcefire Will Provide
- Dedicated Sales Engineer
- Appliances (sensors and management)
- Weekly Review of System
- Executive Reports
- Pricing for Production Devices
- Event Analysis

Slide 4: What Customer Will Provide / Prep
- Network Diagram
- Rack space, cabling, and a shelf or other place to stack the appliance (rail kits are not always shipped with evals)
- Available power (maximum of (4) power connections)
- SPAN port identified, configured, and traffic verified
- IP addresses for management ports on each appliance
- Depending on the location of the components, firewall or other network configuration may be required to allow sensors to connect to a Defense Center:
  - Port 8305 is the default communications port for DC-to-sensor communications
  - Ports 443 and 22 are for communication directly with the DC or sensors
- NTP server address
- Unauthenticated mail relay address
- Identified InfoSec point of contact and/or Network team contact for install setup, addressing, etc., if any network configs are needed

Slide 5: Evaluation Checklist
- Requirements: performance, application control, malware, inspection, API integration, custom rules, centralized management, etc.
- Testing environment: production or lab
- General architecture:
  - Types of connections
  - Integration with other technology
  - Inline / passive
- Testing tools
- Point of contact / groups involved
- Timeline

Slide 6: Onsite Eval Kick-Off Meeting
- Review design, requirements and action plan
- Quick recap of dashboards, workflows, FireSIGHT context viewer, reports
- Installation
- Schedule weekly meetings / GMT for the next 3-4 weeks to cover:
  - Reports, Events, Fine Tuning, Basic Configuration

Slide 7: Recap Meeting
- General Feedback
- Overview of Methodology
- Demo of Configuration
- Key Findings: Events, Performance
- High Impact Threat Report
- Requirement Review
- Discuss Possible Purchase Timeline

Slide 8: Sample NGIPS Requirements List

Management Platform
- Hierarchical management
- Management HA
- Data views and dashboard customization
- Ease of deployment and ongoing administration
- Central management
- Ability to drill down during investigation
- Reporting
- Role-based management
- External authentication (RADIUS, LDAP, etc.)
- Fully searchable event database
- Ability to create and save custom searches
- Custom dashboards per user
- Full audit logging
- Automated updates
- Fully integrated reporting system
- Multiple report formats (PDF, CSV, HTML, etc.)
- Ability to see detailed performance information
- Multi-tenant management
- Packet capture for ALL events

Contextual Awareness and Security Automation
- Real-time adaptive IPS (based on RNA host profile)
- Automatic IPS event correlation: impact analysis, business relevance, risk level, application
- Automatic / self-tuning option
- Ability to fully automate tasks such as reports, updates, backups, etc.
- Ability to prioritize events based on relevance to the protected environment
- Ability to automatically tune policy based on devices in the protected environment
- Ability to identify devices (printers, routers, switches, etc.)
- Ability to identify operating systems
- Ability to identify applications
- Ability to identify services
- Ability to use externally generated flow data
- Ability to look for anomalous traffic patterns
- Ability to identify users
- Ability to detect anomalous network devices (compliance white list)

Security Intelligence
- IP reputation / blacklists
- Detection of known C&C servers
- Geolocation

IPS
- Industry validation (NSS Labs, Gartner, etc.)

Threat Detection
- Ability to see rule/filter/signature (open rules)
- Ability to edit existing rules
- Ability to create custom rules
- Packet capture
- Ability to download packet captures
- Ability to generate flow data
- Ability to inspect IPv6 traffic
- Ability to inspect traffic inline or out of band

Application Control Features
- Ability to view a large range of applications
- Ability to control applications
- Ability to control sub-applications or specific application functionality
- Ability to control applications by user or group
- Ability to control applications by risk level
- Ability to control applications by business relevance
- Ability to define application groups
- Ability to maintain performance while performing application control
- Ability to control mobile devices / OS

Slide 9: Sample Malware Requirements
- Find root cause of infected machines
- Provide protection if an endpoint is out of the network
- Leverage the cloud for real-time analysis
- Protect endpoints and mobile devices, including tablets and mobile phones
- Locate patient zero for a specific threat, i.e., when and by whom it was first installed or executed
- Retroactively provide details on who downloaded and executed malware, and when
- Provide file analysis (how many data points?)
- Include screen captures of the file when it was first seen, to assist with educating end users on what to look for
- Remediate via custom detections, i.e., cloud-based SHA or original file
- Remediate via advanced custom detections, i.e., client-based, using advanced techniques (e.g., offsets, wildcards, regular expressions)
- Remediate via application blocking lists
- Remediate via custom white lists
- Automatically create simple custom detections

Overview of Functionality
- Events & Indicators of Compromise: events, relationships between suspicious behaviors (e.g., Word or Java executing other files), etc.
- File Trajectory: patient zero, when malware was first seen on which computer in your environment, its parentage and lineage, how it moves between hosts
- Device Trajectory: relationship of files and network traffic on a single computer; parent-child relationships on a machine; files spawning other files; java.exe creating other files
- File Analysis: once you have the "unknown" file, you can run it through our sandbox to get screenshots, PCAPs, the original sample, static analysis, running analysis of files dropped, and URLs connected to
- Control: simple and advanced methods to control / clean up
- Setup, Config & Reporting: groups, policies, etc.
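The File Trajectory, Device Trajectory, IoC and retrospective-detection ideas on this slide, worked through as an added example over a small constructed set of endpoint file events. This is example code, not Sourcefire's or Cisco's; the record layout (ts, host, user, sha256, parent, action) and the function names are assumptions.

```python
# File trajectory over endpoint file events. Added example, not Sourcefire/Cisco code;
# the records and field names (ts, host, user, sha256, parent) are constructed assumptions.
from collections import defaultdict

# Constructed sample: one record per file event reported by an endpoint connector.
EVENTS = [
    {"ts": 1, "host": "ws-07", "user": "alice", "sha256": "aaa1", "parent": "winword.exe", "action": "create"},
    {"ts": 2, "host": "ws-07", "user": "alice", "sha256": "aaa1", "parent": "explorer.exe", "action": "execute"},
    {"ts": 3, "host": "ws-11", "user": "bob", "sha256": "aaa1", "parent": "java.exe", "action": "create"},
    {"ts": 4, "host": "ws-11", "user": "bob", "sha256": "bbb2", "parent": "aaa1", "action": "create"},
    {"ts": 5, "host": "srv-02", "user": "svc", "sha256": "aaa1", "parent": "aaa1", "action": "create"},
    {"ts": 6, "host": "ws-03", "user": "carol", "sha256": "ccc3", "parent": "chrome.exe", "action": "create"},
]

OFFICE_OR_JAVA = {"winword.exe", "excel.exe", "java.exe"}  # parents that should not drop files


def patient_zero(events, sha256):
    """Earliest event for a hash: where it first appeared, who had it, and what dropped it."""
    hits = [e for e in events if e["sha256"] == sha256]
    return min(hits, key=lambda e: e["ts"]) if hits else None


def file_trajectory(events, sha256):
    """Hosts a hash spread to, in order of first sighting, with the dropping parent on each."""
    seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["sha256"] == sha256 and e["host"] not in seen:
            seen[e["host"]] = e["parent"]
    return list(seen.items())


def device_trajectory(events, host):
    """Parent -> children map for one host: files spawning or creating other files."""
    tree = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["host"] == host and e["action"] == "create":
            tree[e["parent"]].append(e["sha256"])
    return dict(tree)


def indicators_of_compromise(events, bad_parents=OFFICE_OR_JAVA):
    """File creations by document or Java processes (the slide's Word/Java-executing-files case)."""
    return [e for e in events if e["action"] == "create" and e["parent"] in bad_parents]


def retrospective_hits(events, blocklist):
    """Past events matching a custom SHA-256 detection added after the fact (when, where, who)."""
    return [(e["ts"], e["host"], e["user"]) for e in events if e["sha256"] in blocklist]
```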


Slide 11: Bigger, Faster, Stronger Reports


Slide 13: Attack Risk; Network Risk

Slide 14: Network Risk


Slide 16: Better Together

Sample Items

Slide 18: Brief Recap
- 90 day graphs provided
  - Can we get sample pcaps?
- Current priority is traffic from outside coming in
- External FW and internal PCI segments
  - Eval to focus on IDS
- Other technologies include RSA, Tripwire, Secure ID token, syslog exports
- 10 Gig future options
- Discussed latency concerns, requirements for dual power
- Application control options
- Cisco gear

Slide 19: Eval Items Provided
- (1) 3D7120 Sensor
- (1) DC1500 Management Server with FireSIGHT
- AppControl license for additional visibility

Slide 20: POV Items Needed
- Rack space, cabling, and a shelf or other place to stack the appliance (rail kits are not always shipped with evals)
- Available power (maximum of (4) power connections)
- SPAN port identified, configured, and traffic verified
- IP addresses for management ports on each appliance
- Depending on the location of the components, firewall or other network configuration may be required to allow sensors to connect to a Defense Center:
  - Port 8305 is the default communications port for DC-to-sensor communications
  - Ports 443 and 22 are for communication directly with the DC or sensors
- NTP server address
- Unauthenticated mail relay address
- Identified InfoSec point of contact and/or Network team contact for install setup, addressing, etc., if any network configs are needed
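An added pre-install check covering the prerequisites listed on slide 4 (What Customer Will Provide / Prep) and repeated on this slide: it produces the firewall request for the sensor-to-DC and admin flows, then probes those flows along with the NTP server and mail relay. This is example code, not Cisco's or Sourcefire's; the port numbers 8305, 443 and 22 come from the slides, while the addresses, function names and the assumption that the mail relay listens on tcp/25 are mine.

```python
# Eval pre-install readiness check. Added example, not Cisco's or Sourcefire's code:
# only the port numbers come from the slides; addresses and names are constructed.
import ipaddress
import socket
DC_SENSOR_PORT = 8305      # default sensor <-> Defense Center communications port
ADMIN_PORTS = (443, 22)    # direct HTTPS / SSH access to the DC or a sensor


def required_flows(dc_ip, sensor_ips, admin_net):
    """(source, destination, tcp_port) tuples to hand to the firewall / network team.
    Addresses are validated so a typo in the prep sheet fails loudly instead of
    becoming a rule request for the wrong host."""
    dc = str(ipaddress.ip_address(dc_ip))
    admin = str(ipaddress.ip_network(admin_net))
    flows = []
    for s in sensor_ips:
        sensor = str(ipaddress.ip_address(s))
        flows.append((sensor, dc, DC_SENSOR_PORT))             # sensor registers to the DC
        flows.extend((admin, sensor, p) for p in ADMIN_PORTS)  # admins reach the sensor
    flows.extend((admin, dc, p) for p in ADMIN_PORTS)          # admins reach the DC
    return flows


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connect completes; False on refusal, timeout or no route."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ntp_responds(server, timeout=2.0):
    """Send a minimal SNTP request (LI=0, VN=3, mode=3); True on a 48-byte reply."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(b"\x1b" + 47 * b"\0", (server, 123))
            return len(s.recvfrom(48)[0]) == 48
    except OSError:
        return False


def readiness_report(dc_ip, sensor_ips, admin_net, ntp_server, mail_relay,
                     probe=tcp_reachable, ntp_probe=ntp_responds):
    """(description, ok) pairs for every required flow plus NTP and mail relay. Run from
    the sensors' management segment; probes are injectable for tests without live hosts."""
    report = [(f"{src} -> {dst} tcp/{port}", probe(dst, port))
              for src, dst, port in required_flows(dc_ip, sensor_ips, admin_net)]
    report.append((f"NTP {ntp_server} udp/123", ntp_probe(ntp_server)))
    report.append((f"mail relay {mail_relay} tcp/25", probe(mail_relay, 25)))
    return report
```

Any FAIL line in the report is a firewall or addressing item to raise with the InfoSec / Network contact before the kick-off install.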